VYPR
High severity (7.1) · GHSA Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

n8n: Python sandbox escape

CVE-2026-49444

Description

Authenticated users with workflow creation permissions can escape the Python Code Node sandbox in n8n to achieve arbitrary code execution on the task runner container.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the Python Code Node within n8n workflows. When the Python Task Runner is enabled, an authenticated user with permission to create or modify workflows can inject Python code that escapes the sandbox environment, leading to arbitrary code execution on the task runner container [1][2]. This affects all n8n versions prior to the fixes in 1.123.48, 2.21.8, and 2.22.4 [1][2].

Exploitation

To exploit, an attacker must have an account with privileges to create or edit workflows. The attacker creates or modifies a workflow to include a Python Code node and supplies malicious Python code that bypasses the sandbox restrictions. No additional user interaction is required, and the attack can be launched remotely over the network [1][2].

Impact

Successful exploitation grants the attacker arbitrary code execution on the task runner container. This compromises the confidentiality and integrity of the container, potentially allowing access to sensitive data or further lateral movement within the environment. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N [1].

Mitigation

The issue was patched in n8n releases 1.123.48, 2.21.8, and 2.22.4 [1][2]. Users should upgrade to one of these versions or later. If immediate upgrade is not possible, administrators can temporarily reduce risk by restricting workflow creation/editing to trusted users, disabling the Python Code node via the NODES_EXCLUDE environment variable, or disabling the Python Task Runner entirely [1]. These workarounds are not complete fixes [1].
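As an added example (not code from the VYPR page or from the n8n project), the following Python helper turns the fixed releases listed above into a triage check that an administrator can run over an inventory of n8n instances before deciding which ones need the upgrade or the NODES_EXCLUDE / task-runner workarounds. It assumes major.minor.patch version strings (an optional leading "v" or pre-release suffix is tolerated), that a release newer than every listed fix within its major line carries the fix, and that 2.x releases older than 2.21 have no fixed patch release; the inventory below is constructed sample data.

```python
"""Version triage for CVE-2026-49444 (n8n Python Code node sandbox escape).

Added example; not part of the VYPR page or the n8n project. Only the fixed
releases named in the advisory are encoded: 1.123.48, 2.21.8 and 2.22.4.
Assumptions (not stated by the advisory): a release newer than all fixes in
its major line is treated as fixed; a 2.x release older than 2.21 has no
fixed patch release and is treated as affected.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed releases from the advisory, one per affected release line.
FIXED_VERSIONS: List[Version] = [(1, 123, 48), (2, 21, 8), (2, 22, 4)]


def parse_version(text: str) -> Version:
    """Parse 'v2.22.3-rc.1' style strings into a (major, minor, patch) tuple."""
    core = text.strip().lstrip("v")
    # Drop pre-release ("-rc.1") and build ("+abc") suffixes before splitting.
    core = core.split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_vulnerable(text: str) -> bool:
    """True if the given n8n version predates the fix for its release line."""
    v = parse_version(text)
    same_major = [f for f in FIXED_VERSIONS if f[0] == v[0]]
    if not same_major:
        # No fix known for this major: anything older than every fixed
        # release is affected; a newer major is assumed to carry the fix.
        return v < min(FIXED_VERSIONS)
    for fixed in same_major:
        if fixed[1] == v[1]:
            # Same major.minor line: a simple patch-level comparison decides.
            return v < fixed
    # Different minor within a fixed major: older than the newest fix in the
    # line means unfixed (e.g. 2.20.x); newer (e.g. 2.23.x) is assumed fixed.
    return v < max(same_major)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split an {instance: version} inventory into affected / fixed / unknown."""
    result: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for name, version in sorted(inventory.items()):
        try:
            bucket = "affected" if is_vulnerable(version) else "fixed"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(name)
    return result


# Constructed sample inventory; instance names and versions are made up.
SAMPLE_INVENTORY = {
    "n8n-prod-eu": "1.123.47",
    "n8n-prod-us": "v2.22.4",
    "n8n-staging": "2.21.7",
    "n8n-legacy": "2.20.9",
    "n8n-dev": "2.23.0-beta.2",
    "n8n-broken-tag": "latest",
}

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Instances in the "affected" bucket should be upgraded to 1.123.48, 2.21.8, 2.22.4 or later; "unknown" entries (non-semver tags such as `latest`) need their concrete version resolved from the running container before they can be classified.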

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE: the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0 (no linked articles in our index yet)